Security through sleight of hand
Jim Cook, ANZ Regional Director, Attivo Networks
DECEPTION TECHNOLOGY IS PROVING TO BE AN INNOVATIVE AND SUCCESSFUL APPROACH FOR DEFENDING LOCAL GOVERNMENTS AGAINST CYBERSECURITY THREATS.
Tuning into the news, one might easily get the impression that local councils are disproportionately impacted by cybersecurity incidents compared to many other industry sectors.
Certainly in the US, municipal governments have proven easy targets for ransomware. Research shows 44% of them experience daily attack attempts, and a further 30% are unsure how many times their systems are being probed.
A perennial issue is that local governments are under-resourced compared to other levels of government, let alone the private sector. While the federal government is steadily improving its defences, funding for cybersecurity drops off steeply at state and local levels.
Small agencies with small budgets often find themselves short on both tools and talent, and vital hardware and software updates can often go untended for months or even years. This provides fertile ground for cybercriminals looking to take advantage of an easy target.
A recent audit report in NSW found 80% of councils do not have a cybersecurity policy or framework. Compare this to the private sector, where only 25% of organisations report they are not using a framework (according to a global survey of 1200 security professionals). The NSW audit also found 78% of councils in the state had no central register of cyber incidents, and 76% had not trained all staff in cybersecurity.
“Poor management of cybersecurity can expose councils to a broad range of risks, including financial loss, reputational damage and data breaches,” NSW Auditor-General Margaret Crawford found.
Local Government Professionals Australia, the peak body for local government officers, sought federal assistance at the end of last year to help councils address cybersecurity shortfalls.
Most local government senior executives “are acutely aware of the risks and vulnerabilities in the cybersecurity space but there is a resource gap in defending against them”, according to Local Government Professionals Australia CEO Clare Sullivan.
“Local government budgets are under increasing pressure here, with reduced revenue-raising capacity coupled with ageing infrastructure, increasing community expectations and cost shifting from other levels of government,” the organisation’s President, Mark Crawley, added.
SINGLE-PERSON (AND SMALL) SECURITY TEAMS
Many local councils have invested heavily in end-point and network perimeter solutions — but once an attacker is through them, things can become very dark, very fast. Some also are restrained by having only a small security team with which to protect themselves, largely due to the cost of assembling and maintaining such a resource.
To prevent such small teams from becoming overwhelmed, and to supplement their skills, many are turning to new types of defensive systems such as ‘deception technology’.
Deception technology uses traps and lures — resembling genuine files, systems and credentials — that are placed within the network to fool attackers into engaging. Even the lightest engagement with these decoys triggers an alert that enables security to quickly respond to the incident and record the attackers’ behaviour.
The overwhelming feedback from those who have adopted this approach is that it solves a lot of use cases at the same time, the most common being detecting and stopping an attack once it has breached perimeter defences. Others include detecting ransomware attacks early, detecting credential theft, stopping lateral movement, and obtaining visibility of internal networks and cloud environments.
Deception technology is already widely adopted around the world and in the last year has begun to see traction with, and positive impact in, securing Australian businesses. For small security teams, cyber deception has proven to be an accurate and efficient way to find threats that have bypassed prevention defences.
Modern deception will also include trickery that deceives an attacker into believing that they have received the information they are seeking — whereas in reality, they are given fake data or credentials that will only lead them into a decoy environment and raise an alert about an attempted object or data theft.
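As an added illustration (not from the article or from any vendor's product), the sketch below shows the engagement-based alerting described above: any event that touches a decoy account or decoy host raises an alert, whether or not the attempt succeeded. The log format, decoy names and addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical decoy inventory: no legitimate user or process ever touches these.
DECOY_ACCOUNTS = {"svc_backup_adm", "rates_dbadmin"}
DECOY_HOSTS = {"fin-archive01", "payroll-old"}

# Constructed sample events in an assumed key=value format (not a real product's log).
SAMPLE_LOG = """\
2020-06-01T09:14:02 src=10.1.4.23 user=jsmith dst=fileserver01 action=logon result=success
2020-06-01T09:31:40 src=10.1.7.88 user=CORP\\svc_backup_adm dst=dc01 action=logon result=failure
2020-06-01T09:32:05 src=10.1.7.88 user=mlee dst=fin-archive01 action=smb_open result=success
2020-06-01T09:32:09 src=10.1.7.88 user=mlee dst=FIN-ARCHIVE01 action=file_read result=success
garbled line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Return the event's fields as a dict, or None if the line is unusable."""
    ts, _, rest = line.partition(" ")
    event = dict(FIELD.findall(rest))
    if not {"src", "user", "dst"} <= event.keys():
        return None
    event["ts"] = ts
    return event

def find_decoy_engagements(log_text):
    """Alert on every event that touches a decoy, successful or not."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        account = event["user"].split("\\")[-1].lower()  # drop any DOMAIN\ prefix
        host = event["dst"].lower()
        for kind, value, decoys in (("credential", account, DECOY_ACCOUNTS),
                                    ("host", host, DECOY_HOSTS)):
            if value in decoys:
                alerts.append({"ts": event["ts"], "src": event["src"], "decoy": kind + ":" + value,
                               "action": event.get("action", "?"), "result": event.get("result", "?")})
    return alerts

def timeline_by_source(alerts):
    """Group alerts per source address so a responder sees one intruder's path."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["src"]].append((a["ts"], a["action"], a["decoy"]))
    return dict(grouped)
```

Because nothing legitimate references the decoys, the failed logon with the planted credential is as strong a signal as the successful reads on the decoy host, and the per-source timeline gives the responder the sequence of actions in one place.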
This sleight of hand creates a situation where the attacker can no longer trust what they see or the tools they use. This can be a powerful deterrent when used with traps and lures that keep attackers occupied and away from genuine systems.
The increased complexity for the attacker can be quite effective in slowing the attack, and will often lead them to abandon their efforts and look for a softer target.
Deception technology is proving to be the augmentation and assistance that many single-person and small security teams need to tip the scales back in their favour. By using machine learning, the solution can be easily deployed and maintained without requiring additional staffing. Responders can also react quickly since every alert is engagement-based and comes with the attack details needed to quickly respond to the threat. This is critical for small teams so that they can prioritise their efforts on real incidents and not go chasing false positives or nuisance alerts.
PREVENTION VS PROACTIVITY
Traditionally, cybersecurity efforts have tended to focus on preventative techniques. However, when you consider the growing numbers of breaches that continue to occur each year, this approach alone is no longer sufficient.
Instead, organisations should add proactive techniques to their security mix, so that they can detect attackers early and control their actions. They will then be in a better position to detect and derail threats much earlier so that criminals cannot establish a foothold or complete their planned attack.
Taking the time now to examine cyber deception options, and make them a part of a security architecture, will reduce risk and better prepare an organisation for threats as they arise.
Calendar
2nd AUSEC 2020
Melbourne: 9–11 September Intelligence into new hacking techniques and exploits. claridenglobal.com/conference/ausec-cyber-security/
AusCERT Cyber Security Conference
Gold Coast: 15–18 September Speakers, tutorials, workshops and networking opportunities. conference.auscert.org.au
IoT Festival 2020
Melbourne: 9 October Explore trends, challenges, opportunities and applications of the IoT. www.iothub.com.au/iotfestival
Australian Cyber Conference 2020
Melbourne: 27–29 October Providing leaders with cybersecurity insights and best practices skills. cyberconference.com.au
Comms Connect New Zealand 2020
Sydney: 28–29 October Panels, case studies, tech insights and training for critical comms users. sydney.comms-connect.com.au
Tech in Gov 2020
Canberra: 3–4 November Two days of learning and networking for government ICT leaders. www.terrapinn.com/conference/technology-ingovernment/
Featured product
Conference room devices
Poly (formerly Plantronics and Polycom) has introduced a series of Poly Microsoft Teams Rooms — the Poly G10-T, G40-T and G80-T. These room solutions include audio and video innovations that are specially designed for Microsoft Teams and provide IT managers with a solution for any size of room, from a huddle room to a large meeting room. Easy to manage and with enterprise support, they join the previously announced Poly Studio X family, which will also offer a native Teams collaboration experience. Poly www.poly.com/au/en
GOVERNMENT IN THE CROSSHAIRS
Dylan Bushell-Embling
Australia’s government sector overtook finance as the second most targeted sector by cyber attackers in 2019, according to NTT’s latest 2020 Global Threat Intelligence Report.
Attacks on the government sector accounted for 26% of all attacks on industry during the year, placing the sector behind technology (35%) but well ahead of finance (13%), education (11%) and professional services (8%).
While government was also the second most targeted sector globally, it accounted for just 16% of attacks.
The most common attack types targeting Australian industries include application-specific attacks (40%), web application attacks (20%) and DoS or DDoS attacks (19%).
DDoS attacks on Australian organisations were more common than in other regions, the report also finds. Meanwhile, application and web application attacks accounted for nearly 60% of all attacks combined, above the global average of 55%.
The report also finds that the majority (59%) of malware attacks use one of the top five most common malware families in Australia — conficker, zmeu (IoTroop), chinachopper, jsp and cknife.
But despite the significant hostile cyber-activity targeting Australia in 2019, NTT’s report finds that Australia has a “generally mature cybersecurity profile” — particularly in the finance and manufacturing industries.
The report also includes an analysis of the ways the COVID-19 pandemic is shaping the threat landscape. It finds that phishing attacks leveraging COVID-19 started as early as mid-January, and that attack volumes are escalating daily.
New malicious websites posing as official information sources for COVID-19 data are being created at a rate which sometimes exceeds 2000 per day.
Campaigns leveraging the crisis are also being used to spread a range of malware variants, including Emotet, Trickbot, Lokibot, Kpot and the new ransomware variant CoronaVirus.
The crisis has also caused an increase in cyber attacks on healthcare and support organisations involved in COVID-19 response work.
NTT has also observed the use of an open redirect which pushes information-stealing malware to infected systems, and prompts the user to download a ‘COVID-19 Inform App’ purportedly from the World Health Organisation.
The report states that the crisis has shown the need for organisations to implement technologies and processes capable of anticipating and preventing attacks and other disruptions before they can impact regular operations.
NTT is also urging organisations to ensure they’re addressing challenges associated with the threat landscape evolving with COVID-19, such as the related surge in remote working.
This requires clearly and effectively communicating changing business and security requirements, policies and procedures to employees, while ensuring employees flag roadblocks to effective collaboration and workflow.
“The current global crisis has shown us that cybercriminals will always take advantage of any situation and organisations must be ready for anything,” commented Matthew Gyde, President and CEO of NTT’s Security division.
“We are already seeing an increased number of ransomware attacks on healthcare organisations and we expect this to get worse before it gets better. Now more than ever, it’s critical to pay attention to the security that enables your business; making sure you are cyber-resilient and maximising the effectiveness of secure-by-design initiatives.”
NTT’s annual Threat Intelligence Report is based on log, event, attack, incident and vulnerability data from clients, as well as analysis from the company’s Global Threat Intelligence Platform.